microsoft
diff --git a/‎include/llvm/FuzzMutate/IRMutator.h‎
Lines changed: 106 additions & 0 deletions b/‎include/llvm/FuzzMutate/IRMutator.h‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎include/llvm/FuzzMutate/OpDescriptor.h‎
Lines changed: 193 additions & 0 deletions b/‎include/llvm/FuzzMutate/OpDescriptor.h‎
Lines changed: 193 additions & 0 deletions
diff --git a/‎include/llvm/FuzzMutate/Operations.h‎
Lines changed: 54 additions & 0 deletions b/‎include/llvm/FuzzMutate/Operations.h‎
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,106 @@
+//===-- IRMutator.h - Mutation engine for fuzzing IR ------------*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Provides the IRMutator class, which drives mutations on IR based on a
+// configurable set of strategies. Some common strategies are also included
+// here.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZMUTATE_IRMUTATOR_H
+#define LLVM_FUZZMUTATE_IRMUTATOR_H
+
+#include "llvm/FuzzMutate/OpDescriptor.h"
+#include "llvm/Support/ErrorHandling.h"
+
+namespace llvm {
+class BasicBlock;
+class Function;
+class Instruction;
+class Module;
+
+struct RandomIRBuilder;
+
+/// Base class for describing how to mutate a module. mutation functions for
+/// each IR unit forward to the contained unit.
+class IRMutationStrategy {
+public:
+  virtual ~IRMutationStrategy() = default;
+
+  /// Provide a weight to bias towards choosing this strategy for a mutation.
+  ///
+  /// The value of the weight is arbitrary, but a good default is "the number of
+  /// distinct ways in which this strategy can mutate a unit". This can also be
+  /// used to prefer strategies that shrink the overall size of the result when
+  /// we start getting close to \c MaxSize.
+  virtual uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
+                             uint64_t CurrentWeight) = 0;
+
+  /// @{
+  /// Mutators for each IR unit. By default these forward to a contained
+  /// instance of the next smaller unit.
+  virtual void mutate(Module &M, RandomIRBuilder &IB);
+  virtual void mutate(Function &F, RandomIRBuilder &IB);
+  virtual void mutate(BasicBlock &BB, RandomIRBuilder &IB);
+  virtual void mutate(Instruction &I, RandomIRBuilder &IB) {
+    llvm_unreachable("Strategy does not implement any mutators");
+  }
+  /// @}
+};
+
+using TypeGetter = std::function<Type *(LLVMContext &)>;
+
+/// Entry point for configuring and running IR mutations.
+class IRMutator {
+  std::vector<TypeGetter> AllowedTypes;
+  std::vector<std::unique_ptr<IRMutationStrategy>> Strategies;
+
+public:
+  IRMutator(std::vector<TypeGetter> &&AllowedTypes,
+            std::vector<std::unique_ptr<IRMutationStrategy>> &&Strategies)
+      : AllowedTypes(std::move(AllowedTypes)),
+        Strategies(std::move(Strategies)) {}
+
+  void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize);
+};
+
+/// Strategy that injects operations into the function.
+class InjectorIRStrategy : public IRMutationStrategy {
+  std::vector<fuzzerop::OpDescriptor> Operations;
+
+  fuzzerop::OpDescriptor chooseOperation(Value *Src, RandomIRBuilder &IB);
+
+public:
+  InjectorIRStrategy(std::vector<fuzzerop::OpDescriptor> &&Operations)
+      : Operations(std::move(Operations)) {}
+  static std::vector<fuzzerop::OpDescriptor> getDefaultOps();
+
+  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
+                     uint64_t CurrentWeight) override {
+    return Operations.size();
+  }
+
+  using IRMutationStrategy::mutate;
+  void mutate(Function &F, RandomIRBuilder &IB) override;
+  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;
+};
+
+class InstDeleterIRStrategy : public IRMutationStrategy {
+public:
+  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
+                     uint64_t CurrentWeight) override;
+
+  using IRMutationStrategy::mutate;
+  void mutate(Function &F, RandomIRBuilder &IB) override;
+  void mutate(Instruction &Inst, RandomIRBuilder &IB) override;
+};
+
+} // end llvm namespace
+
+#endif // LLVM_FUZZMUTATE_IRMUTATOR_H
@@ -0,0 +1,193 @@
+//===-- OpDescriptor.h ------------------------------------------*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Provides the fuzzerop::Descriptor class and related tools for describing
+// operations an IR fuzzer can work with.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZMUTATE_OPDESCRIPTOR_H
+#define LLVM_FUZZMUTATE_OPDESCRIPTOR_H
+
+#include "llvm/ADT/ArrayRef.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallVector.h"
+#include "llvm/IR/Constants.h"
+#include "llvm/IR/DerivedTypes.h"
+#include "llvm/IR/Type.h"
+#include "llvm/IR/Value.h"
+#include <functional>
+
+namespace llvm {
+namespace fuzzerop {
+
+/// @{
+/// Populate a small list of potentially interesting constants of a given type.
+void makeConstantsWithType(Type *T, std::vector<Constant *> &Cs);
+std::vector<Constant *> makeConstantsWithType(Type *T);
+/// @}
+
+/// A matcher/generator for finding suitable values for the next source in an
+/// operation's partially completed argument list.
+///
+/// Given that we're building some operation X and may have already filled some
+/// subset of its operands, this predicate determines if some value New is
+/// suitable for the next operand or generates a set of values that are
+/// suitable.
+class SourcePred {
+public:
+  /// Given a list of already selected operands, returns whether a given new
+  /// operand is suitable for the next operand.
+  using PredT = std::function<bool(ArrayRef<Value *> Cur, const Value *New)>;
+  /// Given a list of already selected operands and a set of valid base types
+  /// for a fuzzer, generates a list of constants that could be used for the
+  /// next operand.
+  using MakeT = std::function<std::vector<Constant *>(
+      ArrayRef<Value *> Cur, ArrayRef<Type *> BaseTypes)>;
+
+private:
+  PredT Pred;
+  MakeT Make;
+
+public:
+  /// Create a fully general source predicate.
+  SourcePred(PredT Pred, MakeT Make) : Pred(Pred), Make(Make) {}
+  SourcePred(PredT Pred, NoneType) : Pred(Pred) {
+    Make = [Pred](ArrayRef<Value *> Cur, ArrayRef<Type *> BaseTypes) {
+      // Default filter just calls Pred on each of the base types.
+      std::vector<Constant *> Result;
+      for (Type *T : BaseTypes) {
+        Constant *V = UndefValue::get(T);
+        if (Pred(Cur, V))
+          makeConstantsWithType(T, Result);
+      }
+      if (Result.empty())
+        report_fatal_error("Predicate does not match for base types");
+      return Result;
+    };
+  }
+
+  /// Returns true if \c New is compatible for the argument after \c Cur
+  bool matches(ArrayRef<Value *> Cur, const Value *New) {
+    return Pred(Cur, New);
+  }
+
+  /// Generates a list of potential values for the argument after \c Cur.
+  std::vector<Constant *> generate(ArrayRef<Value *> Cur,
+                                   ArrayRef<Type *> BaseTypes) {
+    return Make(Cur, BaseTypes);
+  }
+};
+
+/// A description of some operation we can build while fuzzing IR.
+struct OpDescriptor {
+  unsigned Weight;
+  SmallVector<SourcePred, 2> SourcePreds;
+  std::function<Value *(ArrayRef<Value *>, Instruction *)> BuilderFunc;
+};
+
+static inline SourcePred onlyType(Type *Only) {
+  auto Pred = [Only](ArrayRef<Value *>, const Value *V) {
+    return V->getType() == Only;
+  };
+  auto Make = [Only](ArrayRef<Value *>, ArrayRef<Type *>) {
+    return makeConstantsWithType(Only);
+  };
+  return {Pred, Make};
+}
+
+static inline SourcePred anyType() {
+  auto Pred = [](ArrayRef<Value *>, const Value *V) {
+    return !V->getType()->isVoidTy();
+  };
+  auto Make = None;
+  return {Pred, Make};
+}
+
+static inline SourcePred anyIntType() {
+  auto Pred = [](ArrayRef<Value *>, const Value *V) {
+    return V->getType()->isIntegerTy();
+  };
+  auto Make = None;
+  return {Pred, Make};
+}
+
+static inline SourcePred anyFloatType() {
+  auto Pred = [](ArrayRef<Value *>, const Value *V) {
+    return V->getType()->isFloatingPointTy();
+  };
+  auto Make = None;
+  return {Pred, Make};
+}
+
+static inline SourcePred anyPtrType() {
+  auto Pred = [](ArrayRef<Value *>, const Value *V) {
+    return V->getType()->isPointerTy();
+  };
+  auto Make = [](ArrayRef<Value *>, ArrayRef<Type *> Ts) {
+    std::vector<Constant *> Result;
+    // TODO: Should these point at something?
+    for (Type *T : Ts)
+      Result.push_back(UndefValue::get(PointerType::getUnqual(T)));
+    return Result;
+  };
+  return {Pred, Make};
+}
+
+static inline SourcePred anyAggregateType() {
+  auto Pred = [](ArrayRef<Value *>, const Value *V) {
+    return V->getType()->isAggregateType();
+  };
+  // TODO: For now we only find aggregates in BaseTypes. It might be better to
+  // manufacture them out of the base types in some cases.
+  auto Find = None;
+  return {Pred, Find};
+}
+
+static inline SourcePred anyVectorType() {
+  auto Pred = [](ArrayRef<Value *>, const Value *V) {
+    return V->getType()->isVectorTy();
+  };
+  // TODO: For now we only find vectors in BaseTypes. It might be better to
+  // manufacture vectors out of the base types, but it's tricky to be sure
+  // that's actually a reasonable type.
+  auto Make = None;
+  return {Pred, Make};
+}
+
+/// Match values that have the same type as the first source.
+static inline SourcePred matchFirstType() {
+  auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
+    assert(!Cur.empty() && "No first source yet");
+    return V->getType() == Cur[0]->getType();
+  };
+  auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *>) {
+    assert(!Cur.empty() && "No first source yet");
+    return makeConstantsWithType(Cur[0]->getType());
+  };
+  return {Pred, Make};
+}
+
+/// Match values that have the first source's scalar type.
+static inline SourcePred matchScalarOfFirstType() {
+  auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
+    assert(!Cur.empty() && "No first source yet");
+    return V->getType() == Cur[0]->getType()->getScalarType();
+  };
+  auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *>) {
+    assert(!Cur.empty() && "No first source yet");
+    return makeConstantsWithType(Cur[0]->getType()->getScalarType());
+  };
+  return {Pred, Make};
+}
+
+} // end fuzzerop namespace
+} // end llvm namespace
+
+#endif // LLVM_FUZZMUTATE_OPDESCRIPTOR_H
@@ -0,0 +1,54 @@
+//===-- Operations.h - ----------------------------------------*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Implementations of common fuzzer operation descriptors for building an IR
+// mutator.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZMUTATE_OPERATIONS_H
+#define LLVM_FUZZMUTATE_OPERATIONS_H
+
+#include "llvm/FuzzMutate/OpDescriptor.h"
+#include "llvm/IR/InstrTypes.h"
+#include "llvm/IR/Instruction.h"
+
+namespace llvm {
+
+/// Getters for the default sets of operations, per general category.
+/// @{
+void describeFuzzerIntOps(std::vector<fuzzerop::OpDescriptor> &Ops);
+void describeFuzzerFloatOps(std::vector<fuzzerop::OpDescriptor> &Ops);
+void describeFuzzerControlFlowOps(std::vector<fuzzerop::OpDescriptor> &Ops);
+void describeFuzzerPointerOps(std::vector<fuzzerop::OpDescriptor> &Ops);
+void describeFuzzerAggregateOps(std::vector<fuzzerop::OpDescriptor> &Ops);
+void describeFuzzerVectorOps(std::vector<fuzzerop::OpDescriptor> &Ops);
+/// @}
+
+namespace fuzzerop {
+
+/// Descriptors for individual operations.
+/// @{
+OpDescriptor binOpDescriptor(unsigned Weight, Instruction::BinaryOps Op);
+OpDescriptor cmpOpDescriptor(unsigned Weight, Instruction::OtherOps CmpOp,
+                             CmpInst::Predicate Pred);
+OpDescriptor splitBlockDescriptor(unsigned Weight);
+OpDescriptor gepDescriptor(unsigned Weight);
+OpDescriptor extractValueDescriptor(unsigned Weight);
+OpDescriptor insertValueDescriptor(unsigned Weight);
+OpDescriptor extractElementDescriptor(unsigned Weight);
+OpDescriptor insertElementDescriptor(unsigned Weight);
+OpDescriptor shuffleVectorDescriptor(unsigned Weight);
+/// @}
+
+} // end fuzzerop namespace
+
+} // end llvm namespace
+
+#endif // LLVM_FUZZMUTATE_OPERATIONS_H